1. Purpose (p. 4)
2. Implementation items (p. 4)
3. Architecture design (p. 4)
3.1 Concept (p. 4)
4. Implementation requirements (p. 8)
4.1 Samba and Windows integration policy (p. 8)
4.2.2 Building the CA (p. 15)
范明忠 fjufirefox@gmail.com fan,bill Mandriva Coldfusion
(5) Verify that the certificate is usable (p. 19)
4.2.3 Firewall + proxy server + DHCPD configuration (p. 19)
(1) Edit /etc/squid/squid.conf (p. 22)
(2) Create /var/spool/squid (p. 23)
(4) Configure /etc/dhcpd.conf (p. 24)
(5) Firewall configuration (p. 24)
(v) Migrating accounts (p. 56)
(vi) Special notes (p. 56)
(ix) Joining the domain (p. 59)
(x) Logging in (p. 62)
(xi) Confirming the profile is written back (p. 63)
(xiii) CA creation workflow (p. 67)
5. Administration (p. 67)
5.1 Samba administration (p. 71)
6. Improvements and suggestions (p. 88)
1. Purpose
Use OpenLDAP integrated with Samba to replace a Windows 2000/2003 Active Directory or PDC and reduce the total cost of ownership (TCO). OpenLDAP combined with Samba performs far better than a win2k/win2k3 AD, and the directory can be integrated with the other services running on the Linux host, such as squid.
2. Implementation items
(1) Samba and Windows integration
a. ACL-based access control on files and directories
b. User environment integration: user profiles and home directories
c. SSO (single sign-on) support: PAM, winbind
(2) Proxy authentication
3. Architecture design
3.1 Concept
Table 1: General comparison of NTDS, Active Directory and OpenLDAP features

Feature                                           | NTDS        | Active Directory    | OpenLDAP
Supports the STARTTLS protocol                    |             | X                   | X
Supports SASL                                     |             |                     | X
NT client authentication                          | X           | X                   | via Samba (note 1)
W2K client authentication                         | X           | X                   | via Samba (note 2)
Linux client authentication                       | via winbind | via winbind or LDAP | X
Separate / high-end Kerberos service possible     |             | X (note 4)          | X
Access control on attributes and objects (ACLs)   |             | X                   | X
Delegation of administrative tasks                |             | X                   | X
Master/slave replication                          | X           | X (note 5)          | X
Multi-master replication                          |             | X (note 6)          | X (note 7)

Notes:
1. When Samba is used for the authentication between the Windows clients and the server.
3. Kerberos is firmly integrated into Active Directory.
4. Active Directory can authenticate against an external Kerberos server, but the AD domain can then no longer be used to authenticate Windows-based computers.
5. In "mixed mode" Active Directory uses master/slave replication between Windows 2000 DCs and Windows NT 4 BDCs.
6. In "native mode" Active Directory uses multi-master replication (Windows 2000/2003 domains use it exclusively).
7. Multi-master replication in OpenLDAP is considered experimental and is disabled by default.

3.2 Practical operation
3.3 Authentication methods
(1) ldap -> pam
(2) pam -> ldap
4. Implementation requirements
4.2 Environment build procedure
4.2.1 LDAP configuration
(1) /etc/openldap/slapd.conf
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /etc/openldap/schema/local.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
# logging: 256 = connections, operations and results ("stats"), the usual production level
loglevel 256
##############################################################
# database definitions
##############################################################
database bdb
suffix "dc=homeland,dc=net"
rootdn "uid=root,ou=Users,dc=homeland,dc=net"
# rootpw is the {SSHA} hash of the directory manager password; generate it with
# `slappasswd -h '{SSHA}'` and never store it in clear.  The hash value is omitted here.
rootpw {SSHA}
# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberuid eq
index cn,mail,surname,givenname eq,subinitial
# samba searches on sid
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# slapd evaluates access directives in order and uses the first one whose target
# matches the entry and attribute, so this catch-all must come after the
# password-attribute rule from slapd.access.conf (next section): placed before it,
# "by * read" would hand userPassword and the LM/NT hashes to anonymous binds.
# The original file had a second "access to *" directive for the Replicator group;
# it could never be reached, so the two are merged into one directive here.
access to *
by dn="uid=root,ou=Users,dc=homeland,dc=net" write
by group="cn=Replicator,ou=Groups,dc=homeland,dc=net" write
by * read
(2) /etc/openldap/slapd.access.conf
# Password material: the owner may change it, the directory manager, the domain
# controllers and the replicas may write it, anonymous binds may only use it to
# authenticate ("auth") and nobody else can read it.  slapd stops at the first
# matching "by" clause, so "by * none" must stay last; the "by anonymous read"
# that followed it in the original file was unreachable and has been dropped.
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
by self write
by dn.exact,expand="uid=root,ou=Users,$2" write
by group.expand="cn=Domain Controllers,ou=Groups,$2" write
by group.expand="cn=Replicator,ou=Groups,$2" write
by anonymous auth
by * none
# Allow users in the domain to add entries to the "global address book":
# For use with Evolution, the attrs list could be modified to be:
# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
# if evolutionperson.schema and calendar.schema are available
access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=children,entry,inetOrgPerson
by dn.sub,expand="ou=Users,$2" write
by group.expand="cn=Replicator,ou=Groups,$2" write
by users read
by anonymous read
(3) /etc/openldap/ldap.conf
URI ldap://127.0.0.1
BASE dc=homeland,dc=net
HOST 127.0.0.1
TLS_CACERT /etc/ssl/cacert.pem
# "try" requests the server certificate and aborts if it fails verification, but
# still proceeds when the server presents none; use "demand" once cacert.pem is
# in place so that every StartTLS session is actually authenticated.
TLS_REQCERT try
(4) /etc/ldap.conf
nss_base_passwd ou=Users,dc=homeland,dc=net?sub
nss_base_shadow ou=Users,dc=homeland,dc=net?sub
nss_base_group ou=Groups,dc=homeland,dc=net?sub
nss_base_hosts ou=Computers,dc=homeland,dc=net?sub
(5) Using drakauth
Dn=dc=homeland,dc=net
Host=127.0.0.1
This switches the system's authentication scheme to LDAP.
4.2.2 Building the CA
(1) Create the root CA
$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
The following is created under ./demoCA:
./demoCA/crl                 certificate revocation list (CRL)
./demoCA/newcerts            copies of every certificate signed by this CA
./demoCA/private             the CA's private area; nothing in it may leave the host
./demoCA/private/cakey.pem   the CA private key
./demoCA/index.txt           database of issued certificates
./demoCA/cacert.pem          the CA certificate
./demoCA/serial              next serial number
./demoCA/certs
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2F:33:E4:E2:24:2E:29:87:C2:AA 5:FC:76:A6:5F:06:69:78:E9:90
X509v3 Authority Key Identifier:
keyid:74:B5:A3:12:4A:9E:4D:F2 1 1:00:AF:F3:26 B:3F:9A A:7C:10
DirName:/C=TW/ST=Taiwan/L=Taipei/O=CA Servies/OU=rootCA/CN=homeland.net/emailAddress=root@homeland.net
serial:00
(5) Verify that the certificate is usable
Connect with openssl s_client and check the "Verify return code" line; it is only meaningful when the CA certificate is supplied with -CAfile (or sits in the default trust store). Note that in the output below subject and issuer are identical, i.e. the server presented a self-signed certificate rather than one issued by the rootCA built in 4.2.2.
---
Server certificate
subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
Acceptable client certificate CA names
/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
SSL handshake has read 2083 bytes and written 742 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
B1852092DAB765492123E237D9473E88E1EA0A0907C8BBA092650329E46F22E9
Session-ID-ctx:
Master-Key:
36A166C427DB3BCB108FA56C57C4CB8323C38E41D3BFDA44BA58B8CCB92DF30977DE9B21D58D70360937993936C8D22F
Key-Arg : None
Start Time: 1137034912
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
Acceptable client certificate CA names
/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
SSL handshake has read 2083 bytes and written 3024 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
101B8D9741E8ADF5FB4E0C1A1132B1B287BEF52D9AE980D6D20C7C155856326F
Session-ID-ctx:
Master-Key:
400DE182749158EB0A0EFF3DE8E4319257844F98F0FB31FB06D7E1C6C3EF1F572B9DA9D334701079C345CDCE71DD5F61
Key-Arg : None
Start Time: 1137035176
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
4.2.3 Firewall + proxy server + DHCPD configuration
(1) Edit /etc/squid/squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 9600 16 256
cache_store_log none
# Users authenticate with their domain password through PAM (pam_auth -> system-auth
# -> LDAP).  Basic authentication sends the credentials base64-encoded in the clear
# with every request, so the network path between clients and proxy must be trusted.
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Squid walks the http_access lines in order and stops at the first line whose ACLs
# all match.  With the three lines below "allow password" precedes "deny manager",
# so any authenticated user reaches the cache manager, and the Safe_ports/SSL_ports
# ACLs defined above are never enforced, so an authenticated client may CONNECT to
# any port (25, 3389, ...).  Squid's default order avoids both problems:
#   http_access allow manager localhost
#   http_access deny manager
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
#   http_access allow password
#   http_access deny all
http_access allow manager localhost
http_access allow password
http_access deny manager
(2) Create /var/spool/squid
squid -z creates the cache directory structure.
(3) Edit /etc/pam.d/squid
#%PAM-1.0
# pam_securetty only affects root (it rejects root unless the login comes from a tty
# listed in /etc/securetty), so root cannot authenticate to the proxy, which is
# desirable; ordinary users are checked against LDAP through the system-auth stack.
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
(4) Configure /etc/dhcpd.conf
authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
# default gateway
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;
# (the address pool and DNS options of the subnet continue here)
}
(5) Firewall configuration
Overview
eth0 -> external, 192.168.1.1
eth1 -> internal, 192.168.0.1
iptables is driven by shorewall; everything below is edited under /etc/shorewall.
Note: the version used is shorewall-3.0.3-1mdk.
1. vi shorewall.conf
STARTUP_ENABLED=Yes
2. vi zones
fw firewall
net ipv4
loc ipv4
3. vi masq
eth0 eth1
4. vi interfaces
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect dhcp,tcpflags,detectnets,nosmurfs
5. vi policy
loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info
6. vi rules
Web/ACCEPT net $FW
Web/ACCEPT loc $FW
Two consequences of this policy set are worth noting: "loc net ACCEPT" lets LAN hosts reach the Internet directly, so the authenticating proxy can be bypassed unless that policy is tightened (or web traffic is redirected to the proxy), and "Web/ACCEPT net $FW" opens port 80 on the firewall itself to the outside.
(6) squid-clamav antivirus scanning
1. Download squidclam-0.11-1mdk.src.rpm
3. Install squidclam-0.11-1mdk.i586.rpm
urpmi squidclam-0.11-1mdk.i586.rpm
proxy=http://127.0.0.1:3128
url=http://127.0.0.1/antivir.php
tmp=/tmpdata/squidclam-XXXXXXXX
rldb=200
fsize=202400
5. Add the following line to /etc/fstab and mount it (noexec keeps anything downloaded into the scratch area from being executed there)
tmpfs /tmpdata tmpfs rw,noexec 0 0
mkdir /tmpdata
mount /tmpdata
chown squid:squid /tmpdata
6. Check that the mount succeeded
df (lowercase)
The output must contain a line like the following:
tmpfs 157M 0 157M 0% /tmpdata
7. Edit /etc/squid/squid.conf
The original marks the newly added lines with a yellow background and red text; that highlighting is lost here. The squidclam hook is the redirect_program/redirect_children pair.
hierarchy_stoplist cgi-bin ?
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# squidclam runs as a redirector: every requested URL is handed to it and checked
# through the scanner URL from its own configuration before Squid serves the object.
redirect_program /usr/sbin/squidclam
redirect_children 15
cache_dir diskd /cache/01 3500 22 256
cache_dir diskd /cache/02 3500 22 256
cache_dir diskd /cache/03 3500 22 256
cache_store_log none
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# refresh_pattern lines are matched in order and the first match wins, so the
# specific gif/jpg patterns must come before the "." catch-all (in the original
# they followed it and could never match).  Only the first "." line takes effect;
# the second one is kept for reference but is unreachable, so choose one.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern \.gif$ 10080 100% 43200 override-expire
refresh_pattern \.jpg$ 10080 100% 43200 override-expire
refresh_pattern . 0 20% 4320
refresh_pattern . 960 90% 43200 reload-into-ims
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
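Both squid.conf listings in this section (4.2.3 (1) and step 7 above) end with the same three http_access lines: allow manager localhost, allow password, deny manager. The following is an added example, not code from the report or from Squid, that models how Squid walks http_access lines (first line whose ACLs all match decides; if no line matches, the documented default is the opposite of the last line) and runs constructed requests through the report's order and through Squid's default order. The ACL names and values are the ones declared in the report's squid.conf; the client addresses and requests are made up for the example. Not modelled is the 407 challenge Squid sends when a proxy_auth ACL is the last term of a line and the client supplied no credentials, so the last case below is about rule order only.

```python
"""Offline model of Squid http_access evaluation.

Added example, not from the report or from Squid: shows what the report's rule
order allows that Squid's default order does not.  ACL definitions follow the
report's squid.conf; requests are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Request:
    src: str                       # client address
    dst_port: int                  # destination port of the URL / CONNECT target
    method: str = "GET"
    proto: str = "http"            # "cache_object" selects the cache manager
    authenticated: bool = False    # valid proxy credentials supplied


# acl lines from the report's squid.conf
ACLS = {
    "all":        ("src", ["0.0.0.0/0"]),
    "localhost":  ("src", ["127.0.0.1/32"]),
    "manager":    ("proto", ["cache_object"]),
    "password":   ("proxy_auth", ["REQUIRED"]),
    "SSL_ports":  ("port", [443, 563]),
    "Safe_ports": ("port", [80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488, 591, 777]),
    "CONNECT":    ("method", ["CONNECT"]),
}

# http_access lines exactly as they appear in the report
REPORT_RULES = [
    ("allow", ["manager", "localhost"]),
    ("allow", ["password"]),
    ("deny",  ["manager"]),
]

# Squid's default ordering, with the report's authentication ACL plugged in
HARDENED_RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["password"]),
    ("deny",  ["all"]),
]


def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req.src)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "proto":
        return req.proto in values
    if kind == "proxy_auth":
        return req.authenticated      # challenge behaviour deliberately not modelled
    if kind == "method":
        return req.method in values
    if kind == "port":
        for v in values:
            lo, hi = v if isinstance(v, tuple) else (v, v)
            if lo <= req.dst_port <= hi:
                return True
        return False
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules: List[Tuple[str, List[str]]], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    for action, terms in rules:
        # a "!" prefix negates the term; every term on the line must hold
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # documented Squid behaviour: nothing matched -> opposite of the last line
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(req: Request) -> Tuple[str, str]:
    """(decision under the report's rules, decision under the hardened rules)"""
    return http_access(REPORT_RULES, req), http_access(HARDENED_RULES, req)


if __name__ == "__main__":
    cases = {
        "authenticated CONNECT to port 25":   Request("192.168.0.23", 25, "CONNECT", authenticated=True),
        "authenticated cache_object request": Request("192.168.0.23", 3128, proto="cache_object", authenticated=True),
        "authenticated GET on port 80":       Request("192.168.0.23", 80, authenticated=True),
        "GET on port 80 without credentials": Request("192.168.0.23", 80),
    }
    for label, req in cases.items():
        report, hardened = compare(req)
        print(f"{label:38s} report={report:5s} hardened={hardened}")
```

The first two cases are the ones that matter in practice: with the report's order a user who knows any domain password can tunnel to arbitrary ports through the proxy and read the cache manager; the last case shows why an explicit `http_access deny all` belongs at the end, since the fall-through default of the report's list is allow.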
8. Check that it works
squid -k reconfigure (a short pause is normal)
ls -lsa /tmpdata
A listing of the scanner's temporary files in /tmpdata indicates success.
4.2.4 SAMBA configuration
(1) /etc/samba/smb.conf
After writing the file, run testparm /etc/samba/smb.conf and fix every error it reports before starting Samba.
# Global parameters
[global]
dos charset = CP950
unix charset = CP950
display charset = CP950
workgroup = WORKGROUP
netbios name = SAMBA3PDC
server string = Samba Server %v
# eth0 is the external interface (see 4.2.3); listing it here exposes SMB to the
# outside, and only the shorewall "net all DROP" policy keeps it closed.  Drop eth0
# unless the PDC really must be reachable from there.
interfaces = eth0, eth1, lo
bind interfaces only = Yes
obey pam restrictions = Yes
# plain ldap:// is acceptable on the loopback interface only; for a directory on
# another host use ldaps:// or add "ldap ssl = start tls".
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = Yes
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/log.%m
[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
root preexec = /usr/bin/ntlogon -u '%u' -g '%g' -o %a -d /var/lib/samba/netlogon/
root postexec = rm -f '/var/lib/samba/netlogon/%u.bat'
[Profiles]
path = /var/lib/samba/profiles
valid users = %U, "Domain Admins"
force user = %U
read only = No
guest ok = Yes
profile acls = Yes
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
[print$]
path = /var/lib/samba/printers
valid users = "@Print Operators"
write list = "@Print Operators"
inherit permissions = Yes
guest ok = Yes
[pdf-gen]
comment = PDF Generator (only valid users)
path = /var/tmp
printable = Yes
printing = bsd
print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
lpq command = /bin/true
lprm command = lprm -P'%p' %j
# Anonymous, writable access to the host's own /tmp: every client that reaches the
# SMB ports can drop files there.  If a scratch share is needed, give it a dedicated
# directory and set "guest ok = No".
[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes
(3) /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
# These are the directory manager's credentials in clear text: keep the file
# root-owned with mode 0600.  The value must not contain stray spaces (the
# original had masterPw=" password ", which can never bind).
slaveDN="uid=root,ou=Users,dc=homeland,dc=net"
slavePw="password"
masterDN="uid=root,ou=Users,dc=homeland,dc=net"
masterPw="password"
(4) /etc/smbldap-tools/smbldap.conf
Obtain the domain SID with net getlocalsid and put it into the SID= setting.
##############################################################################
#
# General Configuration
#
##############################################################################
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
ldapTLS="1"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/ssl/cacert.pem"
# LDAP Suffix
# Ex: suffix=dc=homeland,dc=net
suffix="dc=homeland,dc=net"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=homeland,dc=net"
idmapdn="ou=Idmap,${suffix}"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="120"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
4.2.5 BIND configuration
(1) /etc/named.conf
// generated by named-bootconf.pl
controls {
// rndc is bound to the loopback address only and every command must be signed
// with "key", so "allow { any; }" is limited to local processes holding the key.
inet 127.0.0.1 port 953 allow { any; } keys { "key"; };
};
options {
version "";
directory "/var/named";
pid-file "/var/run/named/named.pid"; // Put pid file in working dir
dump-file "/var/tmp/named_dump.db";
statistics-file "/var/tmp/named.stats";
zone-statistics yes;
coresize 100M;
auth-nxdomain yes;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
//
query-source address * port *;
transfers-in 20;
transfers-per-ns 2;
lame-ttl 0;
max-ncache-ttl 10800;
blackhole { bogon; };
};
//
// a caching only nameserver config
//
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
zone "homeland.net" {
type master;
file "homeland.net.hosts";
// dynamic updates are signed with the same TSIG key that authorises rndc, so
// whoever holds it can both reconfigure the server and rewrite the zones.
// Generate a separate key for updates.
allow-update { key "key"; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.rev";
allow-update { key "key"; };
};
(2) /etc/rndc.conf
options {
default-server localhost;
default-key "key";
default-port 953;
};
server localhost {
key "key";
};
key "key" {
algorithm hmac-md5;
secret "7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==";
};
Procedure:
1. dnssec-keygen -a hmac-md5 -b 512 -n HOST localhost
(HMAC-MD5 is obsolete; BIND 9 accepts -a HMAC-SHA256 -b 256 for a TSIG key.)
2. Two files are produced:
Klocalhost.+157+26421.private
Klocalhost.+157+26421.key
3. View their contents
a. [root@localhost rndc]# cat Klocalhost.+157+26421.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==
b. [root@localhost rndc]# cat Klocalhost.+157+26421.key
localhost. IN KEY 512 3 157 7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==
4. Copy the Key: value from the generated Klocalhost.+157+26421.key into the "secret" of the key stanza above. The secret shown here has been published with this document and must not be reused; generate your own.
(3) Zone files under /var/named/
A. /var/named/homeland.net.hosts
$TTL 1d
@ IN SOA mail.homeland.net. root.mail.homeland.net. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS mail.homeland.net.
IN MX 10 mail.homeland.net.
$ORIGIN homeland.net.
mail IN A 192.168.0.1
dns IN CNAME mail.homeland.net.
proxy IN CNAME mail.homeland.net.
rootca IN CNAME mail.homeland.net.
ldap IN CNAME mail.homeland.net.
www IN CNAME mail.homeland.net.
ftp IN CNAME mail.homeland.net.
workgroup IN CNAME mail.homeland.net.
B. /var/named/192.168.0.rev
$TTL 1d
@ IN SOA mail.homeland.net. root.mail.homeland.net. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS mail.homeland.net.
$ORIGIN 0.168.192.in-addr.arpa.
;servers
; every name resolves to the one host 192.168.0.1, so eight PTRs point at a single
; address and a reverse lookup returns them in varying order.  Keep one PTR
; (mail.homeland.net.) if anything relies on reverse resolution, e.g. Kerberos.
1 IN PTR mail.homeland.net.
1 IN PTR dns.homeland.net.
1 IN PTR proxy.homeland.net.
1 IN PTR ftp.homeland.net.
1 IN PTR ldap.homeland.net.
1 IN PTR www.homeland.net.
1 IN PTR rootca.homeland.net.
1 IN PTR workgroup.homeland.net.
; workgroup is the Samba domain name
C. /var/named/localhost.rev
$TTL 1d
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
(4) /var/named/logging.conf
logging {
channel security_channel {
file "/var/log/named/security.log" versions 4 size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
channel default_channel {
file "/var/log/named/default.log" versions 4 size 10m;
print-category yes;
print-severity yes;
print-time yes;
};
channel xfer-in_channel {
file "/var/log/named/xfer-in.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel xfer-out_channel {
file "/var/log/named/xfer-out.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel update_channel {
file "/var/log/named/update.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel notify_channel {
file "/var/log/named/notify.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
};
(5) /var/named/bogon_acl.conf
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks internally, remove them from this list (192.168.0.0/16
// is commented out below for that reason).  A static list like this
// also goes stale: most of the /8 blocks below have been allocated
// since it was written, and blackholing them now drops legitimate
// clients, so refresh it from a maintained source.
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
124.0.0.0/8;
125.0.0.0/8;
126.0.0.0/8;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.2.0/24;
// 192.168.0.0/16;
197.0.0.0/8;
201.0.0.0/8;
224.0.0.0/3;
};
a. Edit /etc/named.conf (the original highlights the changed parts in yellow and red; the changes are the listen-on block, cleaning-interval and the two views)
// generated by named-bootconf.pl
controls {
inet 127.0.0.1 port 953 allow { any; } keys { "key"; };
};
options {
version "";
directory "/var/named";
pid-file "/var/run/named/named.pid"; // Put pid file in working dir
dump-file "/var/tmp/named_dump.db";
statistics-file "/var/tmp/named.stats";
zone-statistics yes;
coresize 100M;
auth-nxdomain yes;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
//
query-source address * port *;
listen-on port 53 {
192.168.0.1;
127.0.0.1;
};
cleaning-interval 120;
transfers-in 20;
transfers-per-ns 2;
lame-ttl 0;
max-ncache-ttl 10800;
blackhole { bogon; };
};
//
// a caching only nameserver config
//
// for internal
view "internal" {
match-clients { 192.168.0.0/24; };
recursion yes;
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
zone "homeland.net" {
type master;
file "homeland.net.hosts";
allow-update { key "key"; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.rev";
allow-update { key "key"; };
};
};
// for external
view "external" {
match-clients { any ; };
// authoritative only: "recursion no" is what keeps this server from being an
// open resolver for the Internet, while the internal view above still recurses
recursion no;
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { key "key"; };
};
zone "100.168.172.in-addr.arpa" IN {
type master;
file "172.168.100..rev";
allow-update { key "key"; };
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};
};
c. example.com.zone
Note that 172.168.100.0/24 is not RFC1918 space (private space ends at 172.31.255.255); it belongs to someone else on the Internet. Use an RFC1918 block or 192.0.2.0/24 (TEST-NET) for a sample external zone.
$TTL 1d
@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS www.example.com.
$ORIGIN example.com.
www IN A 172.168.100.1
d. 172.168.100..rev
$TTL 1d
@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS www.example.com.
$ORIGIN 100.168.172.in-addr.arpa.
;servers
1 IN PTR www.example.com.
4.2.6 Follow-up work
(i) Create ntlogon.bat
vi /var/lib/samba/netlogon/ntlogon.bat
Edit it in :set ff=dos mode.
net time \\SAMBA3PDC /set /yes
net use M: /home
Check that the file has DOS line endings:
od -c ntlogon.bat
\r \n is the MS-DOS line ending, which is what we want here;
\n alone is the Unix line ending.
Example:
0000000 n e t t i m e \ \ S A M B A
0000020 3 P D C / s e t / y e s \r \n
0000040 n e t u s e M : / h o m e
0000060 \r \n
0000062
(ii) Making sure roaming profiles work
The relevant settings are in smb.conf -> [Profiles].
(iv) Update the SID
smbldap-passwd root
(v) Migrating accounts
cp /etc/passwd /etc/shadow /tmp/
(cp without -p creates /tmp/shadow with the default umask, i.e. world-readable in a world-writable directory; work in a root-only directory created with umask 077 instead.)
Remove from the copies the accounts that are not to be migrated; root, nobody, bin, daemon and messagebus stay local-only. For each such account:
user=NAME; export user
perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/passwd
perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/shadow
cd /usr/share/doc/smbldap-tools-0.8.7/doc
./smbldap-migrate-unix-accounts -a -P /tmp/passwd -S /tmp/shadow
cp /etc/group /tmp/
Remove from the copy the groups that are not to be migrated; root, bin and daemon stay local-only. For each such group:
group=NAME; export group
perl -i -pe's@^$ENV{group}:(.*)\n@@' /tmp/group
cd /usr/share/doc/smbldap-tools-0.8.7/doc
./smbldap-migrate-unix-groups -a -G /tmp/group
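The per-account perl one-liners above have to be repeated for every local account and edit passwd and shadow independently. The following is an added example, not code from the report or from smbldap-tools, that prepares both copies in one pass: it drops the accounts that stay local, keeps the two files in step, refuses to continue if an account has no shadow entry, and writes the results with mode 0600. The sample file contents are constructed for the example; the UID floor of 500 (the first regular user on Mandriva of that era) is an assumption that may need adjusting.

```python
"""Filter passwd/shadow copies for smbldap-migrate-unix-accounts.

Added example, not part of the report: one function replaces the per-account
perl deletions, keeps passwd and shadow consistent and never leaves hashes
world-readable.  Sample input is constructed; MIN_UID is an assumption.
"""
import os
from typing import Dict, List, Tuple

# accounts the report keeps in the local files only
LOCAL_ONLY = {"root", "nobody", "bin", "daemon", "messagebus"}
MIN_UID = 500      # system accounts below this stay local as well (assumption)

# constructed sample input, not from a real system
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
messagebus:x:81:81:System message bus:/:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:13000:0:99999:7:::
bin:*:13000:0:99999:7:::
daemon:*:13000:0:99999:7:::
squid:!!:13000::::::
messagebus:!!:13000::::::
nobody:*:13000:0:99999:7:::
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:13150:0:99999:7:::
bob:$1$tlastlas$VUTSRQPONMLKJIHGFEDCBA:13151:0:99999:7:::
"""


def select_accounts(passwd_text: str, shadow_text: str,
                    local_only=LOCAL_ONLY, min_uid: int = MIN_UID
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Return (passwd_lines, shadow_lines, skipped_names) for the accounts to migrate.

    An account is migrated when it is neither in local_only nor below min_uid.
    Every migrated account must have a shadow entry; a missing one means the two
    source files are out of sync, and the migration is aborted rather than
    producing accounts without password hashes.
    """
    shadow: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            shadow[line.split(":", 1)[0]] = line
    keep_passwd, keep_shadow, skipped = [], [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, uid = fields[0], int(fields[2])
        if name in local_only or uid < min_uid:
            skipped.append(name)
            continue
        if name not in shadow:
            raise ValueError(f"{name} has no shadow entry; passwd/shadow out of sync")
        keep_passwd.append(line)
        keep_shadow.append(shadow[name])
    return keep_passwd, keep_shadow, skipped


def write_filtered(passwd_path: str, shadow_path: str, out_dir: str) -> List[str]:
    """Read the real files and write filtered copies into out_dir, mode 0600."""
    with open(passwd_path) as f:
        passwd_text = f.read()
    with open(shadow_path) as f:
        shadow_text = f.read()
    keep_passwd, keep_shadow, skipped = select_accounts(passwd_text, shadow_text)
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    for fname, lines in (("passwd", keep_passwd), ("shadow", keep_shadow)):
        fd = os.open(os.path.join(out_dir, fname), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("\n".join(lines) + "\n")
    return skipped


if __name__ == "__main__":
    p, s, skipped = select_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("migrate:", [l.split(":")[0] for l in p], "skip:", skipped)
```

Run write_filtered("/etc/passwd", "/etc/shadow", "/root/migrate") as root and point smbldap-migrate-unix-accounts at the two files it produces; the returned list tells you which accounts stayed local.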
(vi) Special notes
Do not add computer accounts with
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
because the entry it creates lacks some of the attributes shown below (the original marks them in red). Use the LAM system instead. A complete machine account entry looks like this:
dn: sambaSID=S-1-5-21-957364582-1604034972-1376365676-101000,ou=Computers,dc=homeland,dc=net
cn: winxp
uid: winxp$
uidNumber: 50000
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
gecos: Computers
description: Computers
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: account
sambaSID: S-1-5-21-957364582-1604034972-1376365676-101000
sambaAcctFlags: [W          ]
displayName: winxp
sambaPrimaryGroupSID: S-1-5-21-957364582-1604034972-1376365676-515
sambaDomainName: WORKGROUP
userPassword:
sambaPwdCanChange: 1136896009
sambaPwdMustChange: 2147483647
sambaNTPassword: B3346744060AEFFEFB62AFDAAB8A3AE1
sambaPwdLastSet: 1136896009
(vii) Setting up the LAM system
a. Download
cd /opt
wget http://nchc.dl.sourceforge.net/sourceforge/lam/ldap-account-manager_0.5.3.tar.gz
b. Unpack
tar xvf ldap-account-manager_0.5.3.tar.gz
e. config.cfg settings
# password to add/delete/rename configuration profiles
# (change this default before the web interface is reachable by anyone else: it guards every LAM profile)
password: password
# default profile, without ".conf"
default: lam
f. lam.conf settings (the original shows the changed values in red)
ServerURL: ldap://localhost:389
Passwd:
usersuffix: ou=Users,dc=homeland,dc=net
groupsuffix: ou=Groups,dc=homeland,dc=net
hostsuffix: ou=Computers,dc=homeland,dc=net
domainsuffix: dc=homeland,dc=net
userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
grouplistAttributes: #cn;#gidNumber;#memberUID;#description
hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
maxlistentries: 30
defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)
scriptPath:
scriptServer:
cachetimeout: 5
usermodules: shadowAccount,inetOrgPerson,posixAccount,sambaSamAccount
groupmodules: posixGroup,sambaGroupMapping
hostmodules: account,sambaSamAccount,posixAccount
modules: posixAccount_minUID: 10000
modules: posixAccount_maxUID: 30000
modules: posixAccount_minMachine: 50000
modules: posixAccount_maxMachine: 60000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
treesuffix: dc=homeland,dc=net
(viii) Create users
(ix) Joining the domain
1. Take the registry files from /usr/share/doc/samba-doc-3.0.13/docs/registry
2. Apply the one matching the client
3. For example, Windows XP uses WinXP_SignOrSeal.reg. That file sets requiresignorseal=0 under the Netlogon service parameters, i.e. it switches off signing and sealing of the client's secure channel to the DC; apply it only if the join fails without it.
4. Select -> Change
5. Select -> Domain -> WORKGROUP -> join the domain
6. Authenticate as root
8. Reboot
9. The SSO setup is complete
(x) Logging in
1. Boot and log in
2. User login
3. Automatic mounting
(xi) Confirming the profile is written back
1. Logging out writes the data back
2. Where the data is stored
(2) Using putty
(3) Internal settings
(6) Login complete
(xiii) CA creation workflow
2. Check that the CA certificate and key were generated
4. Generate the certificate request (CSR) for the service and sign it with the CA
[root@localhost misc]# ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
a9:63:8f:f4:cc:dd:73:99
Validity
Not Before: Jan 20 07:02:05 2006 GMT
Not After : Jan 20 07:02:05 2007 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taipei
organizationName = homeland Ltd
organizationalUnitName = homeland LDAP Services
commonName = ldap.homeland.net
emailAddress = fan@homeland.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
23:56:38:E0:69:6C:DF:CD:1F:42:25:8D:DD:C0:5D:E4:DA:14:7B:9E
X509v3 Authority Key Identifier:
keyid:21:A0:DF:D1:EB:EA:3E:FE:F8:32:51:74:35:D2:E8:CF:B2:51:0F:9C
DirName:/C=TW/ST=Taiwan/L=Taipei/O=homeland Ltd/OU=homeland CA Services/CN=homeland_CA/emailAddress=fan@homeland.net
serial:A9:63:8F:F4:CC:DD:73:98
5. Administration
5.1 Samba administration
The rebuilt packages are placed in /usr/src/RPM/RPMS/i586.
The following packages are produced:
libsmbclient0-3.0.20-2.1.102mdk.i586.rpm
libsmbclient0-devel-3.0.20-2.1.102mdk.i586.rpm
libsmbclient0-static-devel-3.0.20-2.1.102mdk.i586.rpm
mount-cifs-3.0.20-2.1.102mdk.i586.rpm
nss_wins-3.0.20-2.1.102mdk.i586.rpm
samba-client-3.0.20-2.1.102mdk.i586.rpm
samba-common-3.0.20-2.1.102mdk.i586.rpm
samba-doc-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-mysql-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-pgsql-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-xml-3.0.20-2.1.102mdk.i586.rpm
samba-server-3.0.20-2.1.102mdk.i586.rpm
samba-smbldap-tools-3.0.20-2.1.102mdk.i586.rpm
samba-swat-3.0.20-2.1.102mdk.i586.rpm
samba-vscan-clamav-3.0.20-2.1.102mdk.i586.rpm
samba-vscan-icap-3.0.20-2.1.102mdk.i586.rpm
samba-winbind-3.0.20-2.1.102mdk.i586.rpm
smbldap-tools-0.9.2-0.1.102mdk.i586.rpm
b. cd /usr/src/RPM/RPMS/i586
Install them with urpmi, or with rpm -Uvh.
c. Edit /etc/smbldap-tools/smbldap.conf
Work from the new smbldap.conf.rpmsave: copy the matching settings from the existing smbldap.conf into smbldap.conf.rpmsave, then replace smbldap.conf with smbldap.conf.rpmsave. The settings that were changed are shown below (they were highlighted in the original document):
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-1628091772-245403179-1700601366"
masterPort="389"
# CA certificate
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=homeland,dc=net"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
#computersdn="ou=Hosts,${suffix}"
computersdn="ou=Computers,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="120"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# comment out the following line to get rid of the default banner
# no_banner="1"
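The three values most often got wrong in the file above are the SID, the suffix and the sambaUnixIdPooldn, and a mismatch only shows up later as a failing smbldap-useradd. The script below is an added example (not part of the original document) that cross-checks a smbldap.conf against smb.conf and against the SID that "net getlocalsid" reported. It assumes the key="value" syntax of smbldap-tools 0.9.x shown above; the two configuration files it reads are constructed inline, and the SID is passed as a parameter so the check runs on a machine without Samba.

```shell
#!/bin/sh
# Added example, not part of the original document: cross-check
# smbldap.conf against smb.conf and the SID from "net getlocalsid".
# Assumes the key="value" syntax of smbldap-tools 0.9.x; the sample
# files below are constructed for the demonstration.

# smbldap_get <file> <key>: value of a key="value" line (comments skipped)
smbldap_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# smb_global_get <smb.conf> <key>: value of "key = value" in [global]
smb_global_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[[Gg]lobal\]/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_smbldap_conf <smbldap.conf> <smb.conf> <sid from net getlocalsid>
# Prints every inconsistency found; returns 0 only when there is none.
check_smbldap_conf() {
    conf=$1; smbconf=$2; localsid=$3; rc=0

    sid=$(smbldap_get "$conf" SID)
    if ! printf '%s\n' "$sid" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'; then
        echo "SID '$sid' is not a domain SID"; rc=1
    elif [ "$sid" != "$localsid" ]; then
        echo "SID in smbldap.conf ($sid) differs from net getlocalsid ($localsid)"; rc=1
    fi

    # "suffix" and the smb.conf "ldap suffix" must name the same tree
    suffix=$(smbldap_get "$conf" suffix)
    ldapsuffix=$(smb_global_get "$smbconf" "ldap suffix")
    if [ "$(echo "$suffix" | tr 'A-Z' 'a-z')" != "$(echo "$ldapsuffix" | tr 'A-Z' 'a-z')" ]; then
        echo "suffix '$suffix' does not match smb.conf ldap suffix '$ldapsuffix'"; rc=1
    fi

    # sambaUnixIdPooldn must point at the sambaDomainName object that
    # smbldap-populate creates, i.e. the domain named by the workgroup
    workgroup=$(smb_global_get "$smbconf" workgroup)
    pooldn=$(smbldap_get "$conf" sambaUnixIdPooldn)
    case "$pooldn" in
        sambaDomainName=*)
            pooldom=${pooldn#sambaDomainName=}; pooldom=${pooldom%%,*}
            if [ "$pooldom" != "$workgroup" ]; then
                echo "sambaUnixIdPooldn points at domain '$pooldom' but workgroup is '$workgroup'"; rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample files: the pool DN names WORKGROUP while the
# constructed smb.conf uses the workgroup HOMELAND.
demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
   workgroup = HOMELAND
   ldap suffix = dc=homeland,dc=net
   passdb backend = ldapsam:ldap://ldap.homeland.net
EOF
cat > "$demo/smbldap.conf" <<'EOF'
SID="S-1-5-21-1628091772-245403179-1700601366"
suffix="dc=homeland,dc=net"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"
EOF
sed 's/sambaDomainName=WORKGROUP/sambaDomainName=HOMELAND/' \
    "$demo/smbldap.conf" > "$demo/smbldap-fixed.conf"

LOCALSID=S-1-5-21-1628091772-245403179-1700601366   # constructed "net getlocalsid" output
for f in smbldap smbldap-fixed; do
    if check_smbldap_conf "$demo/$f.conf" "$demo/smb.conf" "$LOCALSID"; then
        echo "$f.conf: consistent"
    fi
done
```

On a real server, replace the constructed files with /etc/smbldap-tools/smbldap.conf and /etc/samba/smb.conf and pass the output of "net getlocalsid" as the third argument; a non-zero exit means smbldap-populate or smbldap-useradd will fail or write into the wrong part of the tree.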
d. Run smbldap-populate to populate the directory with the base entries.
e. Download srvtools.exe and extract it.
Run usrmgr.exe
Add a user (only the account name and password are needed; the rest is handled automatically).
Log in with the new account (the password must be changed at first login).
Password changed
Login successful
Run srvmgr.exe
f. Adding a computer account from the command line
smbldap-useradd -i <computer name>
It prompts for a password, which must be entered.
g. TLS must be working before the rest of the system can run properly.
Editing /etc/openldap/ldap.conf as follows is enough to get it working:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
TLS_CACERT /etc/ssl/cacert.pem
# TLS_CERT /etc/ssl/openldap/newcert.pem
# TLS_KEY /etc/ssl/openldap/newreq.pem
# "allow" lets the client proceed even when the server presents no
# certificate or one that does not verify against TLS_CACERT. Keep it
# only while debugging; once /etc/ssl/cacert.pem is the CA that signed
# the server certificate, switch to "demand" (the default).
TLS_REQCERT allow
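The CA.pl -sign output earlier and the ldap.conf above are the two halves of one trust decision: the client only gets protection from TLS if TLS_CACERT is the CA that issued the server certificate and TLS_REQCERT makes a failed check fatal. The script below is an added example (not part of the original document) that audits an ldap.conf for exactly that. It assumes openssl is installed, builds a throwaway CA and an ldap.homeland.net server certificate of its own (the same CN as in the signing output above), and then checks three constructed ldap.conf variants.

```shell
#!/bin/sh
# Added example, not part of the original document. Builds a throwaway
# CA plus server certificate with openssl (assumed installed), writes
# constructed ldap.conf variants and audits them: TLS_REQCERT must be
# demand, TLS_CACERT must exist, and the server certificate must chain
# to it and carry the LDAP host name as its CN.

# make_demo_pki <dir>: cacert.pem, a server cert for ldap.homeland.net,
# and an unrelated CA to show what a weak client setting would accept.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" \
        -subj "/C=TW/O=homeland Ltd/OU=homeland CA Services/CN=homeland_CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" \
        -subj "/C=TW/O=homeland Ltd/OU=homeland LDAP Services/CN=ldap.homeland.net" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/ldap.csr" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/ldap.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/otherkey.pem" -out "$d/other-ca.pem" \
        -subj "/CN=some_other_CA" >/dev/null 2>&1
}

# audit_ldap_conf <ldap.conf> <server cert> <ldap host>
# Returns 0 only when the client configuration will really authenticate
# the server; prints the reason for every failure.
audit_ldap_conf() {
    conf=$1; cert=$2; host=$3; rc=0

    reqcert=$(awk '$1=="TLS_REQCERT"{print $2}' "$conf" | tail -n 1)
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert: certificate errors are ignored, use demand"; rc=1 ;;
    esac

    cacert=$(awk '$1=="TLS_CACERT"{print $2}' "$conf" | tail -n 1)
    if [ ! -r "$cacert" ]; then
        echo "TLS_CACERT '$cacert' is missing or unreadable"; return 1
    fi

    # Does the server certificate actually chain to the trusted CA?
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "$cert does not chain to $cacert"; rc=1
    fi

    # Is it issued to the host the clients connect to?
    if ! openssl x509 -in "$cert" -noout -subject | grep -Eq "CN ?= ?$host(,|/|\$)"; then
        echo "certificate CN is not $host"; rc=1
    fi
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    # Constructed ldap.conf variants: the document's setting, the hardened
    # one, and a hardened one that trusts the wrong CA.
    printf 'TLS_CACERT %s\nTLS_REQCERT allow\n'  "$demo/cacert.pem"   > "$demo/ldap-allow.conf"
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo/cacert.pem"   > "$demo/ldap-demand.conf"
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$demo/other-ca.pem" > "$demo/ldap-wrongca.conf"
    for c in ldap-allow ldap-demand ldap-wrongca; do
        if audit_ldap_conf "$demo/$c.conf" "$demo/ldap.pem" ldap.homeland.net; then
            echo "$c.conf: OK"
        fi
    done
fi
```

Against the real deployment, run audit_ldap_conf /etc/openldap/ldap.conf /etc/ssl/openldap/newcert.pem ldap.homeland.net: with the ldap.conf shown above it fails on TLS_REQCERT allow alone, and it also catches the case where /etc/ssl/cacert.pem was copied from a different CA run than the one that signed newcert.pem.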
h. Edit /usr/share/msec/perm.4 and add the line below. msec enforces the permissions listed in its perm.<level> files, so without this entry a profile directory set by hand is reset at the next check and roaming profiles stop working:
/var/lib/samba/profiles/ nobody.nogroup 1777
5.2 Samba anti-virus
2. Start the anti-virus services
service freshclam start (automatic signature updates)
service clamd start (the scanning daemon)
3. Configuration
a. vi /etc/freshclam.conf (signature update settings)
No changes needed; the Mandriva defaults are fine.
b. vi /etc/clamd.conf (scanner settings)
No changes needed; the Mandriva defaults are fine.
[samba-vscan]
; run-time configuration for vscan-samba using
; clamd
; all options are set to default values
; log all file access (yes/no). If set to yes, every access will
; be logged. If set to no (default), only access to infected files
; will be logged
; Set to yes only while verifying that scanning works; switch it back
; to no afterwards, because the log volume is very large.
verbose file logging = yes
; limits, if vscan-clamav was build for using the clamav library (libclamav)
; instead of clamd
d. Apply it to the shares that should be scanned. In smb.conf, add the following two lines to each share whose directory is to be scanned:
[share folder]
vfs objects = vscan-clamav recycle
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
English explanation (the comment from the Mandriva smb.conf):
# You can enable VFS recycle bin and on-access virus-scanning on a per
# share basis:
# Uncomment the next 2 lines (make sure you create a .recycle folder in
# the base of the share and ensure all users will have write access to it.
# For virus scanning, install samba-vscan-clamav and ensure the clamd service
# is running
e. Restart smb
service smb restart
As soon as a user logs in, on-access scanning is active.
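Because vfs objects is set per share, a share that was added later or never got the two lines is simply not scanned, and nothing in the logs says so. The script below is an added example (not part of the original document) that lists every share in an smb.conf that does not load vscan-clamav; the smb.conf it reads is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original document: "vfs objects" is a
# per-share setting, so list every share in an smb.conf that does NOT
# load vscan-clamav. The smb.conf content below is constructed.

# unscanned_shares <smb.conf>: print the name of each share other than
# [global] whose "vfs objects" line does not include vscan-clamav.
unscanned_shares() {
    awk '
        function flush() {
            if (name != "" && tolower(name) != "global" && !scanned) print name
        }
        /^[[:space:]]*\[/ {
            flush()
            name = $0
            sub(/^[[:space:]]*\[/, "", name)
            sub(/\].*$/, "", name)
            scanned = 0
            next
        }
        /^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=/ && /vscan-clamav/ { scanned = 1 }
        END { flush() }
    ' "$1"
}

demo=$(mktemp -d)
cat > "$demo/smb.conf" <<'EOF'
[global]
   workgroup = HOMELAND
   passdb backend = ldapsam:ldap://ldap.homeland.net

[netlogon]
   path = /var/lib/samba/netlogon

[profiles]
   path = /var/lib/samba/profiles
   vfs objects = recycle

[share folder]
   path = /home/share
   vfs objects = vscan-clamav recycle
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
EOF

echo "Shares without on-access scanning:"
unscanned_shares "$demo/smb.conf"
```

Run it against /etc/samba/smb.conf after every share change; an empty result means every share goes through clamd. A share that only loads recycle, like [profiles] in the constructed file, is reported because the recycle module alone does not scan anything.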
5.3 Mandriva upgrade
6. Improvements, suggestions and lessons learned
Items in the plan still to be added or corrected
1. DFS shared directory support (reserved)
3. Security hardening of the LAM system
4. Per-user traffic accounting in squid
5. DHCP integration for IP address control
Reserved for future development
1. Build a BDC
2. In the configuration file /etc/openldap/slapd.conf add (these are the consumer-side directives of slurpd replication):
updatedn "uid=root,ou=Users,dc=homeland,dc=net"
updateref ldap://192.168.0.1
3. Create the replica directory and an empty log file replica.log
mkdir /var/lib/ldap/replica
touch /var/lib/ldap/replica/replica.log
chown -R ldap.ldap /var/lib/ldap
4. Point smbldap-tools at the master server. In smbldap-tools 0.9.x this is the masterLDAP setting in /etc/smbldap-tools/smbldap.conf (next to the masterPort setting shown above); smbldap_bind.conf only holds the bind DNs and passwords:
masterLDAP="192.168.0.1"
5. Synchronise the domain SID of the BDC with the PDC
net rpc getsid
6. Delete the TDB databases on the BDC and set the local SID (the value shown is a placeholder; use the PDC's domain SID as printed by net getlocalsid)
net setlocalsid S-1-5-21-1231241354325465435-34123125123141412
7. Store the password of the administrator account used to access the LDAP database again
smbpasswd -w passwd
8. Confirm that the BDC's domain SID matches the PDC's
net getlocalsid
9. Start Samba on the BDC
Lessons learned
1. Build the environment according to the requirements.
2. Planning should come first, implementation second.
(According to The Mythical Man-Month, planning takes up most of the time in system development.)
3. The logic of the steps must be clear to avoid security holes in the system.